Now that I can define a simple message and service with protobuf and gRPC, the next thing I want to tackle is authentication (not authorization, yet).
This is an area where I haven’t really spent a bunch of time. I’ve gotten my head around basic asymmetric key concepts and why they’re good for what I want to do here. I’ve also gotten my head around the fact that I don’t need to worry about that. So, I got that going for me, I guess.
On our current system, CRM uses Active Directory Federation Services (ADFS) to authenticate users. We could possibly use ADFS to authenticate users here too; gRPC can plug in WS-Federation. However, it takes a fair bit of work to get going, and I’d likely need a personal ADFS setup to test against. And then I’d likely need a personal Active Directory forest. And so on and so on. Next thing you know, I’m three months in, shaving the yak, screaming about how I’m working on authentication.
So I started looking into just handling it myself: accept the credentials, create a token, and send that back. But then I run into the issue of that being frowned upon. And the whole idea with this operation is to stop frowning on things.
So JWT that down
Hello JSON Web Tokens (JWT), I hope. They’re supported by C#’s implementation of gRPC; I just have to write my own token validator. Which means I need tokens to validate. Which means I need to somehow issue tokens. Or find something that will issue them for me.
Fortunately, all of our bidness is on Azure AD (AAD). Or unfortunately, however you want to see that. Either way, AAD can issue JWTs. And all our users are already in the organization’s AAD, which means, if they’re in our forest, they’re in our system.
This takes a bit to get working though, and I’m not sure if it’s entirely kosher. First thing you have to do is set up your app in Azure. I don’t know if there’s a more streamlined way to get where I want to go, but I’m sufficiently lazy, so all I remember is that I need to start at the Azure Portal. If you’re not logged in, you’ll have to do that.
After that, I’m presented with three options, with the middle option being “Manage Azure Active Directory”. That’s what we want. Once you’re in there, there is a menu along the left hand side. Go into “App registrations”, because that’s what we have to do. Create a new registration and set it up to taste. I’m not going to tell you if you need multi-tenancy or not. I don’t; you might. Redirect URI is optional. That gets you to the point where you can authenticate, but your tokens won’t validate against the API yet and none of your calls will work.
To get our ticket to validate, we essentially need to define application-specific permissions. The main thing we want to do is “Expose an API”. We’ll need to define a scope and authorize a client application. Then, when authenticating to Azure AD, we need to request the scope we defined. And when validating the token, we need to use the Application ID URI we had to create.
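To make the validation side concrete, here is an added example (my own, not code from the post) of an ASP.NET Core gRPC server that validates AAD-issued JWTs with the standard JwtBearer handler instead of a hand-written validator. It assumes the Grpc.AspNetCore and Microsoft.AspNetCore.Authentication.JwtBearer packages, placeholder values for the tenant ID, client ID and Application ID URI from your own app registration, a scope named `Greeter.Call` defined under “Expose an API”, and a `Greeter` service with `HelloRequest`/`HelloReply` messages compiled from the proto earlier in the series; all of those names are assumptions, not something the post specifies.

```csharp
using System.Linq;
using System.Threading.Tasks;
using Grpc.Core;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

// Placeholders (assumed): fill these in from your own Azure AD app registration.
const string TenantId = "<tenant-id>";                // Directory (tenant) ID
const string ClientId = "<api-app-client-id>";        // Application (client) ID of the API registration
const string AppIdUri = "api://<api-app-client-id>";  // Application ID URI set under "Expose an API"
const string RequiredScope = "Greeter.Call";          // scope name defined under "Expose an API" (assumed)

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddGrpc();

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        // The handler downloads the tenant's OpenID configuration and signing keys from here,
        // so each token's signature is checked against AAD's current keys (no key material in code).
        options.Authority = $"https://login.microsoftonline.com/{TenantId}";
        // Keep the raw JWT claim names ("scp", "preferred_username") rather than the mapped .NET URIs.
        options.MapInboundClaims = false;
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidateAudience = true,
            ValidateLifetime = true,
            ValidateIssuerSigningKey = true,
            // v1 access tokens carry the Application ID URI in "aud"; v2 tokens carry the client ID.
            // Accepting both keeps the server working whichever token version the registration issues.
            ValidAudiences = new[] { AppIdUri, ClientId },
            // The two issuer forms AAD uses for v1 and v2 tokens of the same tenant.
            ValidIssuers = new[]
            {
                $"https://sts.windows.net/{TenantId}/",
                $"https://login.microsoftonline.com/{TenantId}/v2.0",
            },
        };
    });

builder.Services.AddAuthorization(options =>
{
    // A validly signed token for this audience is not enough on its own: it must also have been
    // issued for the scope we exposed. Delegated scopes arrive in "scp" as a space-separated list.
    options.AddPolicy("RequireGreeterScope", policy =>
        policy.RequireAssertion(ctx =>
            (ctx.User.FindFirst("scp")?.Value ?? string.Empty)
                .Split(' ')
                .Contains(RequiredScope)));
});

var app = builder.Build();
app.UseAuthentication();   // reads the "Authorization: Bearer ..." metadata and validates the JWT
app.UseAuthorization();    // enforces [Authorize] on the gRPC service below
app.MapGrpcService<GreeterService>();
app.Run();

// Greeter, HelloRequest and HelloReply are assumed to come from the proto compiled earlier.
[Authorize(Policy = "RequireGreeterScope")]
public class GreeterService : Greeter.GreeterBase
{
    public override Task<HelloReply> SayHello(HelloRequest request, ServerCallContext context)
    {
        // The validated principal is available on the HttpContext behind the gRPC call.
        var user = context.GetHttpContext().User;
        var caller = user.FindFirst("preferred_username")?.Value
                     ?? user.FindFirst("upn")?.Value
                     ?? "unknown";
        return Task.FromResult(new HelloReply
        {
            Message = $"Hello {request.Name}, authenticated as {caller}"
        });
    }
}
```

On the client side, the token is obtained by asking AAD for the scope in its full form, `api://<api-app-client-id>/Greeter.Call`, and then sent on each call as `Authorization: Bearer <token>` metadata. A token that was signed by the tenant but issued for some other audience, or without that scope, is rejected before the service method runs, which is the behaviour that the “Expose an API” and “authorize a client application” steps above are buying you.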